Switch client and server to communicate over TLS
Issue-ID: AAF-1084
Signed-off-by: Adam WudziĆski <adam.wudzinski@nokia.com>
Change-Id: I7f11b27c7dcdf4fc3eba2d5e64b6dc775c80dd74
diff --git a/Makefile b/Makefile
index 1e4f871..45ffb48 100644
--- a/Makefile
+++ b/Makefile
@@ -23,6 +23,8 @@
--env-file ./compose-resources/client-configuration.env \
--network certservice_certservice \
--mount type=bind,src=`pwd`/compose-resources/client-volume/,dst=/var/certs \
+ --volume `pwd`/certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks \
+ --volume `pwd`/certs/certServiceClient-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks \
onap/org.onap.aaf.certservice.aaf-certservice-client:latest
stop-client:
diff --git a/README.md b/README.md
index 8fabbee..2db3abf 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,14 @@
make build
```
+### Generating certificates
+There are example certificates already generated in certs/ directory.
+In order to generate new certificates, first remove existing ones.
+Then execute following command from certs(!) directory:
+```
+ make
+```
+
### Running Docker containers from docker-compose with EJBCA
Docker-compose uses a local image of certservice-api and make run-client uses a local image of certservice-client
Build docker images locally before running docker compose command.
diff --git a/certService/helm/aaf-cert-service/resources/certServiceClient-keystore.jks b/certService/helm/aaf-cert-service/resources/certServiceClient-keystore.jks
new file mode 100644
index 0000000..f24908c
--- /dev/null
+++ b/certService/helm/aaf-cert-service/resources/certServiceClient-keystore.jks
Binary files differ
diff --git a/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.jks b/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.jks
new file mode 100644
index 0000000..89605b6
--- /dev/null
+++ b/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.jks
Binary files differ
diff --git a/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.p12 b/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.p12
new file mode 100644
index 0000000..2106c81
--- /dev/null
+++ b/certService/helm/aaf-cert-service/resources/certServiceServer-keystore.p12
Binary files differ
diff --git a/certService/helm/aaf-cert-service/resources/root.crt b/certService/helm/aaf-cert-service/resources/root.crt
new file mode 100644
index 0000000..faeee81
--- /dev/null
+++ b/certService/helm/aaf-cert-service/resources/root.crt
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFlDCCA3ygAwIBAgIETsAy8jANBgkqhkiG9w0BAQwFADByMQswCQYDVQQGEwJQ
+TDEUMBIGA1UECBMLRG9sbnkgU2xhc2sxEDAOBgNVBAcTB1dyb2NsYXcxFTATBgNV
+BAoTDFJvb3QgQ29tcGFueTERMA8GA1UECxMIUm9vdCBPcmcxETAPBgNVBAMTCHJv
+b3QuY29tMB4XDTIwMDQwMzA5MTYxNloXDTMwMDQwMTA5MTYxNlowcjELMAkGA1UE
+BhMCUEwxFDASBgNVBAgTC0RvbG55IFNsYXNrMRAwDgYDVQQHEwdXcm9jbGF3MRUw
+EwYDVQQKEwxSb290IENvbXBhbnkxETAPBgNVBAsTCFJvb3QgT3JnMREwDwYDVQQD
+Ewhyb290LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAImm68wu
+rtdkVrC5JI2y53+DoVE4al7NxC2yHeVW0PRD3CgW1xba6dlSQoDQQKkDkxtuNhlU
+IQxU1bbKR6syqJgpJXwSDx4sl4J5lQGWN+iuNA72C1IyXATOgowGq6PbOVVTkApy
+3+ZZGBCmweTjhvddAO7k5p8v+ePt17VvBTxSt6rSvrkGMbpCxBGAPfGpL9xykm9Z
+okVSlA42gGhbra499QTT0Yc/WPPFotKkDKFGaDrLW3NYX1Lio11myYNvLOMwfSEV
+Xy9vkwxcdqFJpHjx+EVLLQXwkudZP+D53N4bk8nP3SacbZSQ/A85mZpWNtw+r9QL
+fZGecY1YIR0udLj66CIG3ybl3gSXX7TSRERTIMR6Um1lt+039FSa18mRBpQTCDXV
+tSL58Qs5BHFkCe0sGpY+XiSEypc6oYPf/7YjiTvMT/mHhDffrvFjhK+wP/oCIg8u
+vuPRoPWuyw41bBeFGitJgDn7E8p9B4K/1DCO/ZcjXiYMgn5Hwb3ojablYUeiXs99
+2AAV8gCceUCdgcP8d6wdAydOVljavkgHPG0IMbiVG1WT57oM3HQpejgpujlKDDsI
+bi9/lbcC/U0JoN9yAaJZFr7CXJrxRv8DWeTwzMTo203KHNu9roQiERd38P8Dp6AQ
+ivmqf0+0VZM3IpjWBYKM68tclHJcG+7wyFjvAgMBAAGjMjAwMB0GA1UdDgQWBBSN
+lFyR56zh67mnvYTmmgJQVxEJrjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
+DAUAA4ICAQBczmFY0kmr1FK50glkT282ur0vukNtwXQNJONof3rYRqP2W98jID6D
+ayma0B4/H1EqCa0d66wRBxFdwW+MqOc4uWD3uUwgazrYD/Bv+V3aumaw8yX6vbyL
+hLNfpd4pViAEGtzYxYfMfFR6uzInF3NMpvt8OXCSGKiQjDMnMs0ekvUZLJm7yxwT
+Qr9aAEFYQYM/GstUC6qFfuUa4MaGvmyKWhZ10JoKXYbGGeFU4wI7Kzifh3VvawTg
+r314ZvQ3zpEwzNJpdvT5ZKuPvyN+drAKFpSPfOTFmmb3uF95FgYq33OFPpo7SR43
+tnw5u5YqKnsHmqCIRMctWiYZc8rBJ3+eBGmke6z/AN6FraG6Ejc8e4WPclrB8STb
++oB3a4Cvri1VHyodkm50Sb/d1FAMDXvzEPBfu2D0dVvOwOcISSN/MQUom8NN4YeI
+aEATdAPNkokgehOzZ1OPRv47FKYEVPCXjaZEWAC7NNmNiRn4RQOti0DlNrLL7Nx9
+vK09G0EnW01MO2ARRkZ3dog+Ph7orJQV3sd7TO4EEortqWtbegSH75ylyYw6rt/j
+uBzYtMOnEtnQKhxj4Wj7PO+StCgspoOByn0d+iSgDd2TlpWm4naP2pfFZT0R+TOH
+wzSH0F47TSfRd0++uEz/QhViybrvQK7yMt1G1YwZp2im+imuWwUC8Q==
+-----END CERTIFICATE-----
diff --git a/certService/helm/aaf-cert-service/resources/truststore.jks b/certService/helm/aaf-cert-service/resources/truststore.jks
new file mode 100644
index 0000000..c32d37f
--- /dev/null
+++ b/certService/helm/aaf-cert-service/resources/truststore.jks
Binary files differ
diff --git a/certService/helm/aaf-cert-service/templates/deployment.yaml b/certService/helm/aaf-cert-service/templates/deployment.yaml
index f8b2d43..f4a28f4 100644
--- a/certService/helm/aaf-cert-service/templates/deployment.yaml
+++ b/certService/helm/aaf-cert-service/templates/deployment.yaml
@@ -16,27 +16,52 @@
- name: {{ .Values.volume.name }}
secret:
secretName: {{ .Values.secret.name }}
+ - name: {{ .Values.tls.server.volume.name }}
+ secret:
+ secretName: {{ .Values.tls.server.secret.name }}
containers:
- name: aaf-cert-service
image: {{ .Values.repository }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.pullPolicy }}
ports:
- containerPort: {{ .Values.containerPort }}
+ env:
+ - name: HTTPS_PORT
+ value: "{{ .Values.containerPort }}"
+ - name: KEYSTORE_PATH
+ value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.keystore.jksName }}"
+ - name: KEYSTORE_P12_PATH
+ value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.keystore.p12Name }}"
+ - name: TRUSTSTORE_PATH
+ value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.jksName }}"
+ - name: ROOT_CERT
+ value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.crtName }}"
+ - name: KEYSTORE_PASSWORD
+ value: "{{ .Values.envs.keystore.password }}"
+ - name: TRUSTSTORE_PASSWORD
+ value: "{{ .Values.envs.truststore.password }}"
livenessProbe:
- httpGet:
- port: {{ .Values.containerPort }}
- path: {{ .Values.liveness.path }}
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - {{ .Values.liveness.command }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
readinessProbe:
- httpGet:
- port: {{ .Values.containerPort }}
- path: {{ .Values.readiness.path }}
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - {{ .Values.readiness.command }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
- name: {{ .Values.volume.name }}
mountPath: {{ .Values.volume.mountPath }}
readOnly: true
+ - name: {{ .Values.tls.server.volume.name }}
+ mountPath: {{ .Values.tls.server.volume.mountPath }}
+ readOnly: true
resources:
{{ toYaml .Values.resources }}
diff --git a/certService/helm/aaf-cert-service/templates/secret_client_tls.yaml b/certService/helm/aaf-cert-service/templates/secret_client_tls.yaml
new file mode 100644
index 0000000..b80a4af
--- /dev/null
+++ b/certService/helm/aaf-cert-service/templates/secret_client_tls.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.tls.client.secret.name }}
+type: Opaque
+data:
+ certServiceClient-keystore.jks:
+ {{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets }}
+ truststore.jks:
+ {{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
diff --git a/certService/helm/aaf-cert-service/templates/secret_server_tls.yaml b/certService/helm/aaf-cert-service/templates/secret_server_tls.yaml
new file mode 100644
index 0000000..535e3db
--- /dev/null
+++ b/certService/helm/aaf-cert-service/templates/secret_server_tls.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.tls.server.secret.name }}
+type: Opaque
+data:
+ certServiceServer-keystore.jks:
+ {{ (.Files.Glob "resources/certServiceServer-keystore.jks").AsSecrets }}
+ certServiceServer-keystore.p12:
+ {{ (.Files.Glob "resources/certServiceServer-keystore.p12").AsSecrets }}
+ truststore.jks:
+ {{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
+ root.crt:
+ {{ (.Files.Glob "resources/root.crt").AsSecrets }}
\ No newline at end of file
diff --git a/certService/helm/aaf-cert-service/templates/service.yaml b/certService/helm/aaf-cert-service/templates/service.yaml
index fba7e5f..f3c0ee0 100644
--- a/certService/helm/aaf-cert-service/templates/service.yaml
+++ b/certService/helm/aaf-cert-service/templates/service.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Service
metadata:
- name: {{ .Chart.Name }}-service
+ name: {{ .Chart.Name }}
spec:
type: {{ .Values.service.type }}
selector:
diff --git a/certService/helm/aaf-cert-service/values.yaml b/certService/helm/aaf-cert-service/values.yaml
index 0dab1e3..efb16a5 100644
--- a/certService/helm/aaf-cert-service/values.yaml
+++ b/certService/helm/aaf-cert-service/values.yaml
@@ -3,17 +3,17 @@
repository: nexus3.onap.org:10001
image: onap/org.onap.aaf.certservice.aaf-certservice-api:1.0.0
pullPolicy: Always
-containerPort: 8080
+containerPort: 8443
service:
type: ClusterIP
liveness:
initialDelaySeconds: 60
periodSeconds: 10
- path: /actuator/health
+ command: curl https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
readiness:
initialDelaySeconds: 30
periodSeconds: 10
- path: /ready
+ command: curl https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
volume:
name: aaf-cert-service-volume
mountPath: /etc/onap/aaf/certservice
@@ -28,3 +28,25 @@
secret:
name: aaf-cert-service-secret
+
+tls:
+ server:
+ secret:
+ name: aaf-cert-service-server-tls-secret
+ volume:
+ name: aaf-cert-service-server-tls-volume
+ mountPath: /etc/onap/aaf/certservice/certs/
+ client:
+ secret:
+ name: aaf-cert-service-client-tls-secret
+
+envs:
+ keystore:
+ jksName: certServiceServer-keystore.jks
+ p12Name: certServiceServer-keystore.p12
+ password: secret
+ truststore:
+ jksName: truststore.jks
+ crtName: root.crt
+ password: secret
+
diff --git a/certService/src/main/resources/application.properties b/certService/src/main/resources/application.properties
index 9ccdd32..c5d1437 100644
--- a/certService/src/main/resources/application.properties
+++ b/certService/src/main/resources/application.properties
@@ -9,3 +9,14 @@
# AAF CertService app specific configuration
app.config.path=/etc/onap/aaf/certservice
+
+# Mutual TLS configuration
+server.ssl.enabled=true
+server.ssl.client-auth=need
+server.port=${HTTPS_PORT:8443}
+
+server.ssl.key-store=${KEYSTORE_PATH:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks}
+server.ssl.key-store-password=${KEYSTORE_PASSWORD:secret}
+
+server.ssl.trust-store=${TRUSTSTORE_PATH:/etc/onap/aaf/certservice/certs/truststore.jks}
+server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD:secret}
diff --git a/certService/src/test/resources/application.properties b/certService/src/test/resources/application.properties
index 3900157..b70ab3b 100644
--- a/certService/src/test/resources/application.properties
+++ b/certService/src/test/resources/application.properties
@@ -1,2 +1,13 @@
# AAF CertService app specific configuration
app.config.path=./src/test/resources
+
+# Mutual TLS configuration
+server.ssl.enabled=true
+server.ssl.client-auth=need
+server.port=${HTTPS_PORT:8443}
+
+server.ssl.key-store=${KEYSTORE_PATH:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks}
+server.ssl.key-store-password=${KEYSTORE_PASSWORD:secret}
+
+server.ssl.trust-store=${TRUSTSTORE_PATH:/etc/onap/aaf/certservice/certs/truststore.jks}
+server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD:secret}
\ No newline at end of file
diff --git a/certServiceClient/README.md b/certServiceClient/README.md
index 7748b29..43d732c 100644
--- a/certServiceClient/README.md
+++ b/certServiceClient/README.md
@@ -43,6 +43,10 @@
STATE=California
COUNTRY=US
SANS=example.com:example2.com
+KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
+KEYSTORE_PASSWORD=secret
+TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks
+TRUSTSTORE_PASSWORD=secret
```
### Logs locally
diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java
index 0916bb8..1b5b8ee 100644
--- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java
+++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/CertServiceClient.java
@@ -19,26 +19,30 @@
package org.onap.aaf.certservice.client;
-import java.security.KeyPair;
import org.onap.aaf.certservice.client.api.ExitableException;
-import org.onap.aaf.certservice.client.certification.PrivateKeyToPemEncoder;
import org.onap.aaf.certservice.client.certification.CsrFactory;
import org.onap.aaf.certservice.client.certification.KeyPairFactory;
+import org.onap.aaf.certservice.client.certification.PrivateKeyToPemEncoder;
import org.onap.aaf.certservice.client.certification.conversion.KeystoreTruststoreCreator;
import org.onap.aaf.certservice.client.certification.conversion.KeystoreTruststoreCreatorFactory;
import org.onap.aaf.certservice.client.common.Base64Encoder;
import org.onap.aaf.certservice.client.configuration.EnvsForClient;
import org.onap.aaf.certservice.client.configuration.EnvsForCsr;
+import org.onap.aaf.certservice.client.configuration.EnvsForTls;
import org.onap.aaf.certservice.client.configuration.factory.ClientConfigurationFactory;
import org.onap.aaf.certservice.client.configuration.factory.CsrConfigurationFactory;
+import org.onap.aaf.certservice.client.configuration.factory.SslContextFactory;
import org.onap.aaf.certservice.client.configuration.model.ClientConfiguration;
import org.onap.aaf.certservice.client.configuration.model.CsrConfiguration;
-import org.onap.aaf.certservice.client.httpclient.CloseableHttpClientProvider;
+import org.onap.aaf.certservice.client.httpclient.CloseableHttpsClientProvider;
import org.onap.aaf.certservice.client.httpclient.HttpClient;
import org.onap.aaf.certservice.client.httpclient.model.CertServiceResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import javax.net.ssl.SSLContext;
+import java.security.KeyPair;
+
import static org.onap.aaf.certservice.client.api.ExitStatus.SUCCESS;
import static org.onap.aaf.certservice.client.certification.EncryptionAlgorithmConstants.KEY_SIZE;
import static org.onap.aaf.certservice.client.certification.EncryptionAlgorithmConstants.RSA_ENCRYPTION_ALGORITHM;
@@ -62,9 +66,10 @@
CsrConfiguration csrConfiguration = new CsrConfigurationFactory(new EnvsForCsr()).create();
KeyPair keyPair = keyPairFactory.create();
CsrFactory csrFactory = new CsrFactory(csrConfiguration);
+ SSLContext sslContext = new SslContextFactory(new EnvsForTls()).create();
- CloseableHttpClientProvider provider = new CloseableHttpClientProvider(
- clientConfiguration.getRequestTimeout());
+ CloseableHttpsClientProvider provider = new CloseableHttpsClientProvider(
+ sslContext, clientConfiguration.getRequestTimeout());
HttpClient httpClient = new HttpClient(provider, clientConfiguration.getUrlToCertService());
CertServiceResponse certServiceData =
@@ -74,7 +79,7 @@
base64Encoder.encode(pkEncoder.encodePrivateKeyToPem(keyPair.getPrivate())));
KeystoreTruststoreCreator filesCreator = new KeystoreTruststoreCreatorFactory(
- clientConfiguration.getCertsOutputPath()).create();
+ clientConfiguration.getCertsOutputPath()).create();
filesCreator.createKeystore(certServiceData.getCertificateChain(), keyPair.getPrivate());
filesCreator.createTruststore(certServiceData.getTrustedCertificates());
} catch (ExitableException e) {
diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java
index c474fd0..78ecc77 100644
--- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java
+++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/api/ExitStatus.java
@@ -28,7 +28,8 @@
CERT_SERVICE_API_CONNECTION_EXCEPTION(5,"CertService HTTP unsuccessful response"),
HTTP_CLIENT_EXCEPTION(6,"Internal HTTP Client connection problem"),
PKCS12_CONVERSION_EXCEPTION(7,"Fail in PKCS12 conversion"),
- PK_TO_PEM_ENCODING_EXCEPTION(8,"Fail in Private Key to PEM Encoding");
+ PK_TO_PEM_ENCODING_EXCEPTION(8,"Fail in Private Key to PEM Encoding"),
+ TLS_CONFIGURATION_EXCEPTION(9, "Invalid TLS configuration");
private final int value;
private final String message;
diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java
new file mode 100644
index 0000000..b2f782c
--- /dev/null
+++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/EnvsForTls.java
@@ -0,0 +1,47 @@
+/*
+ * ============LICENSE_START=======================================================
+ * aaf-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.client.configuration;
+
+import java.util.Optional;
+
+public class EnvsForTls {
+ private final EnvProvider envProvider = new EnvProvider();
+
+ public Optional<String> getKeystorePath() {
+ return readEnv(TlsConfigurationEnvs.KEYSTORE_PATH);
+ }
+
+ public Optional<String> getKeystorePassword() {
+ return readEnv(TlsConfigurationEnvs.KEYSTORE_PASSWORD);
+ }
+
+ public Optional<String> getTruststorePath() {
+ return readEnv(TlsConfigurationEnvs.TRUSTSTORE_PATH);
+ }
+
+ public Optional<String> getTruststorePassword() {
+ return readEnv(TlsConfigurationEnvs.TRUSTSTORE_PASSWORD);
+ }
+
+ private Optional<String> readEnv(TlsConfigurationEnvs envName) {
+ return envProvider.readEnvVariable(envName.toString());
+ }
+}
diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java
new file mode 100644
index 0000000..4009a08
--- /dev/null
+++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/TlsConfigurationEnvs.java
@@ -0,0 +1,28 @@
+/*
+ * ============LICENSE_START=======================================================
+ * aaf-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.client.configuration;
+
+public enum TlsConfigurationEnvs {
+ KEYSTORE_PATH,
+ KEYSTORE_PASSWORD,
+ TRUSTSTORE_PATH,
+ TRUSTSTORE_PASSWORD
+}
diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java
new file mode 100644
index 0000000..a10185b
--- /dev/null
+++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/exception/TlsConfigurationException.java
@@ -0,0 +1,36 @@
+/*
+ * ============LICENSE_START=======================================================
+ * aaf-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.client.configuration.exception;
+
+import org.onap.aaf.certservice.client.api.ExitStatus;
+import org.onap.aaf.certservice.client.api.ExitableException;
+
+public class TlsConfigurationException extends ExitableException {
+ private static final ExitStatus EXIT_STATUS = ExitStatus.CERT_SERVICE_API_CONNECTION_EXCEPTION;
+
+ public TlsConfigurationException(String message) {
+ super(message);
+ }
+
+ public ExitStatus applicationExitStatus() {
+ return EXIT_STATUS;
+ }
+}
diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java
index a94c906..1d4cf2b 100644
--- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java
+++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/CsrConfigurationFactory.java
@@ -27,12 +27,12 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+
public class CsrConfigurationFactory extends AbstractConfigurationFactory<CsrConfiguration> {
private static final Logger LOGGER = LoggerFactory.getLogger(CsrConfigurationFactory.class);
private final EnvsForCsr envsForCsr;
-
public CsrConfigurationFactory(EnvsForCsr envsForCsr) {
this.envsForCsr = envsForCsr;
}
diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java
new file mode 100644
index 0000000..ef74d83
--- /dev/null
+++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactory.java
@@ -0,0 +1,85 @@
+/*============LICENSE_START=======================================================
+ * aaf-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.client.configuration.factory;
+
+import org.apache.http.ssl.SSLContexts;
+import org.onap.aaf.certservice.client.configuration.EnvsForTls;
+import org.onap.aaf.certservice.client.configuration.TlsConfigurationEnvs;
+import org.onap.aaf.certservice.client.configuration.exception.TlsConfigurationException;
+
+import javax.net.ssl.SSLContext;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+
+public class SslContextFactory {
+
+ private static final String JKS = "jks";
+
+ private EnvsForTls envsForTls;
+
+ public SslContextFactory(EnvsForTls envsForTls) {
+ this.envsForTls = envsForTls;
+ }
+
+ public SSLContext create() throws TlsConfigurationException {
+ String keystorePath = envsForTls.getKeystorePath()
+ .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.KEYSTORE_PATH)));
+ String keystorePassword = envsForTls.getKeystorePassword()
+ .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.KEYSTORE_PASSWORD)));
+ String truststorePath = envsForTls.getTruststorePath()
+ .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.TRUSTSTORE_PATH)));
+ String truststorePassword = envsForTls.getTruststorePassword()
+ .orElseThrow(() -> new TlsConfigurationException(createEnvMissingMessage(TlsConfigurationEnvs.TRUSTSTORE_PASSWORD)));
+
+ return createSSLContext(keystorePath, keystorePassword, truststorePath, truststorePassword);
+ }
+
+ private String createEnvMissingMessage(TlsConfigurationEnvs keystorePath) {
+ return String.format("%s env is missing.", keystorePath);
+ }
+
+ private KeyStore setupKeystore(String keystorePath, String certPassword)
+ throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
+ KeyStore keyStore = KeyStore.getInstance(JKS);
+ FileInputStream identityKeyStoreFile = new FileInputStream(new File(
+ keystorePath));
+ keyStore.load(identityKeyStoreFile, certPassword.toCharArray());
+ return keyStore;
+ }
+
+ private SSLContext createSSLContext(String keystorePath, String keystorePassword, String truststorePath, String truststorePassword) throws TlsConfigurationException {
+ try {
+ KeyStore identityKeystore = setupKeystore(keystorePath, keystorePassword);
+ KeyStore trustKeystore = setupKeystore(truststorePath, truststorePassword);
+
+ return SSLContexts.custom()
+ .loadKeyMaterial(identityKeystore, keystorePassword.toCharArray())
+ .loadTrustMaterial(trustKeystore, null)
+ .build();
+ } catch (Exception e) {
+ throw new TlsConfigurationException("TLS configuration exception: " + e);
+ }
+ }
+}
diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java
index ff2db83..2ac481d 100644
--- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java
+++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/configuration/model/ClientConfiguration.java
@@ -25,7 +25,7 @@
public class ClientConfiguration implements ConfigurationModel {
private static final Integer DEFAULT_TIMEOUT_MS = 30000;
- private static final String DEFAULT_REQUEST_URL = "http://aaf-cert-service-service:8080/v1/certificate/";
+ private static final String DEFAULT_REQUEST_URL = "https://aaf-cert-service:8443/v1/certificate/";
private String urlToCertService;
private Integer requestTimeout;
diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpClientProvider.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpsClientProvider.java
similarity index 80%
rename from certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpClientProvider.java
rename to certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpsClientProvider.java
index 5ad933f..3b7a46a 100644
--- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpClientProvider.java
+++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/CloseableHttpsClientProvider.java
@@ -24,11 +24,15 @@
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
-public class CloseableHttpClientProvider {
+import javax.net.ssl.SSLContext;
+
+public class CloseableHttpsClientProvider {
private final int timeout;
+ private final SSLContext sslContext;
- public CloseableHttpClientProvider(int timeout) {
+ public CloseableHttpsClientProvider(SSLContext sslContext, int timeout) {
+ this.sslContext = sslContext;
this.timeout = timeout;
}
@@ -39,6 +43,9 @@
.setConnectTimeout(timeout)
.setSocketTimeout(timeout)
.build();
- return HttpClientBuilder.create().setDefaultRequestConfig(config).build();
+
+ return HttpClientBuilder.create()
+ .setSSLContext(sslContext)
+ .setDefaultRequestConfig(config).build();
}
}
diff --git a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java
index 7512830..0780afa 100644
--- a/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java
+++ b/certServiceClient/src/main/java/org/onap/aaf/certservice/client/httpclient/HttpClient.java
@@ -44,10 +44,10 @@
private static final String CHARSET_UTF_8 = "UTF-8";
private final Gson gson = new Gson();
- private final CloseableHttpClientProvider httpClientProvider;
+ private final CloseableHttpsClientProvider httpClientProvider;
private final String certServiceAddress;
- public HttpClient(CloseableHttpClientProvider httpClientProvider, String certServiceAddress) {
+ public HttpClient(CloseableHttpsClientProvider httpClientProvider, String certServiceAddress) {
this.httpClientProvider = httpClientProvider;
this.certServiceAddress = certServiceAddress;
}
diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java
new file mode 100644
index 0000000..e71e989
--- /dev/null
+++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/factory/SslContextFactoryTest.java
@@ -0,0 +1,197 @@
+/*
+ * ============LICENSE_START=======================================================
+ * aaf-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.client.configuration.factory;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.onap.aaf.certservice.client.configuration.EnvsForTls;
+import org.onap.aaf.certservice.client.configuration.exception.TlsConfigurationException;
+
+import javax.net.ssl.SSLContext;
+import java.util.Optional;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.Mockito.when;
+
+
+@ExtendWith(MockitoExtension.class)
+public class SslContextFactoryTest {
+
+ public static final String INVALID_KEYSTORE_PATH = "nonexistent/keystore";
+ public static final String VALID_KEYSTORE_NAME = "keystore.jks";
+ public static final String VALID_KEYSTORE_PASSWORD = "secret";
+ public static final String INVALID_KEYSTORE_PASSWORD = "wrong_secret";
+ public static final String INVALID_TRUSTSTORE_PATH = "nonexistent/truststore";
+ public static final String VALID_TRUSTSTORE_PASSWORD = "secret";
+ public static final String INVALID_TRUSTSTORE_PASSWORD = "wrong_secret";
+ public static final String VALID_TRUSTSTORE_NAME = "truststore.jks";
+ @Mock
+ private EnvsForTls envsForTls;
+
+ @Test
+ public void shouldThrowExceptionWhenKeystorePathEnvIsMissing() {
+ // Given
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.empty());
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ Exception exception = assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ assertThat(exception.getMessage()).contains("KEYSTORE_PATH");
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenKeystorePasswordEnvIsMissing() {
+ // Given
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore"));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.empty());
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ Exception exception = assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ assertThat(exception.getMessage()).contains("KEYSTORE_PASSWORD");
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenTruststorePathEnvIsMissing() {
+ // Given
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore"));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("password"));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.empty());
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ Exception exception = assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ assertThat(exception.getMessage()).contains("TRUSTSTORE_PATH");
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenTruststorePasswordEnvIsMissing() {
+ // Given
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of("keystore"));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("password"));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.of("truststore"));
+ when(envsForTls.getTruststorePassword()).thenReturn(Optional.empty());
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ Exception exception = assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ assertThat(exception.getMessage()).contains("TRUSTSTORE_PASSWORD");
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenKeystoreIsMissing() {
+ // Given
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of(INVALID_KEYSTORE_PATH));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of("secret"));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.of("truststore.jks"));
+ when(envsForTls.getTruststorePassword()).thenReturn(Optional.of("secret"));
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenKeystorePasswordIsWrong() {
+ // Given
+ String keystorePath = getResourcePath(VALID_KEYSTORE_NAME);
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(INVALID_KEYSTORE_PASSWORD));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.of(VALID_TRUSTSTORE_NAME));
+ when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD));
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenTruststoreIsMissing() {
+ // Given
+ String keystorePath = getResourcePath(VALID_KEYSTORE_NAME);
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.of(INVALID_TRUSTSTORE_PATH));
+ when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD));
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ }
+
+ @Test
+ public void shouldThrowExceptionWhenTruststorePasswordIsWrong() {
+ // Given
+ String keystorePath = getResourcePath(VALID_KEYSTORE_NAME);
+ String truststorePath = getResourcePath(VALID_TRUSTSTORE_NAME);
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.of(truststorePath));
+ when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(INVALID_TRUSTSTORE_PASSWORD));
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When, Then
+ assertThrows(
+ TlsConfigurationException.class, sslContextFactory::create
+ );
+ }
+
+ @Test
+ public void shouldReturnSSLContext() throws TlsConfigurationException {
+ // Given
+ String keystorePath = getResourcePath(VALID_KEYSTORE_NAME);
+ String truststorePath = getResourcePath(VALID_TRUSTSTORE_NAME);
+ when(envsForTls.getKeystorePath()).thenReturn(Optional.of(keystorePath));
+ when(envsForTls.getKeystorePassword()).thenReturn(Optional.of(VALID_KEYSTORE_PASSWORD));
+ when(envsForTls.getTruststorePath()).thenReturn(Optional.of(truststorePath));
+ when(envsForTls.getTruststorePassword()).thenReturn(Optional.of(VALID_TRUSTSTORE_PASSWORD));
+ SslContextFactory sslContextFactory = new SslContextFactory(envsForTls);
+
+ // When
+ SSLContext sslContext = sslContextFactory.create();
+
+ // Then
+ assertNotNull(sslContext);
+ }
+
+ private String getResourcePath(String resource) {
+ return getClass().getClassLoader().getResource(resource).getFile();
+ }
+}
+
diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java
index c936ef5..f4f9249 100644
--- a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java
+++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/configuration/model/ClientConfigurationFactoryTest.java
@@ -38,8 +38,8 @@
private final String CA_NAME_VALID = "caaaftest2";
private final String TIME_OUT_VALID = "30000";
private final String OUTPUT_PATH_VALID = "/opt/app/osaaf";
- private final String URL_TO_CERT_SERVICE_VALID = "http://cert-service:8080/v1/certificate/";
- private final String URL_TO_CERT_SERVICE_DEFAULT = "http://aaf-cert-service-service:8080/v1/certificate/";
+ private final String URL_TO_CERT_SERVICE_VALID = "https://cert-service:8443/v1/certificate/";
+ private final String URL_TO_CERT_SERVICE_DEFAULT = "https://aaf-cert-service:8443/v1/certificate/";
private final String CA_NAME_INVALID = "caaaftest2#$";
private final String OUTPUT_PATH_INVALID = "/opt//app/osaaf";
diff --git a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java
index 2a53941..60c2e93 100644
--- a/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java
+++ b/certServiceClient/src/test/java/org/onap/aaf/certservice/client/httpclient/HttpClientTest.java
@@ -66,7 +66,7 @@
statusLine = mock(StatusLine.class);
httpResponse = mock(CloseableHttpResponse.class);
- CloseableHttpClientProvider httpClientProvider = mock(CloseableHttpClientProvider.class);
+ CloseableHttpsClientProvider httpClientProvider = mock(CloseableHttpsClientProvider.class);
when(httpClientProvider.getClient()).thenReturn(closeableHttpClient);
String testCertServiceAddress = "";
diff --git a/certServiceClient/src/test/resources/keystore.jks b/certServiceClient/src/test/resources/keystore.jks
new file mode 100644
index 0000000..0de9a18
--- /dev/null
+++ b/certServiceClient/src/test/resources/keystore.jks
Binary files differ
diff --git a/certServiceClient/src/test/resources/truststore.jks b/certServiceClient/src/test/resources/truststore.jks
new file mode 100644
index 0000000..2686690
--- /dev/null
+++ b/certServiceClient/src/test/resources/truststore.jks
Binary files differ
diff --git a/certs/Makefile b/certs/Makefile
new file mode 100644
index 0000000..6d90f65
--- /dev/null
+++ b/certs/Makefile
@@ -0,0 +1,110 @@
+all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15
+.PHONY: all
+#Clear certificates
+clear:
+ @echo "Clear certificates"
+ rm certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12
+ @echo "#####done#####"
+
+#Generate root private and public keys
+step_1:
+ @echo "Generate root private and public keys"
+ keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
+ -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
+ -storepass secret -ext BasicConstraints:critical="ca:true"
+ @echo "#####done#####"
+
+#Export public key as certificate
+step_2:
+ @echo "(Export public key as certificate)"
+ keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
+ @echo "#####done#####"
+
+#Self-signed root (import root certificate into truststore)
+step_3:
+ @echo "(Self-signed root (import root certificate into truststore))"
+ keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
+ @echo "#####done#####"
+
+#Generate certService's client private and public keys
+step_4:
+ @echo "Generate certService's client private and public keys"
+ keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \
+ -keystore certServiceClient-keystore.jks -storetype JKS \
+ -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+ -keypass secret -storepass secret
+ @echo "####done####"
+
+#Generate certificate signing request for certService's client
+step_5:
+ @echo "Generate certificate signing request for certService's client"
+ keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
+ @echo "####done####"
+
+#Sign certService's client certificate by root CA
+step_6:
+ @echo "Sign certService's client certificate by root CA"
+ keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
+ -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth"
+ @echo "####done####"
+
+#Import root certificate into client
+step_7:
+ @echo "Import root certificate into intermediate"
+ cat root.crt >> certServiceClientByRoot.crt
+ @echo "####done####"
+
+#Import signed certificate into certService's client
+step_8:
+ @echo "Import signed certificate into certService's client"
+ keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
+ @echo "####done####"
+
+#Generate certService private and public keys
+step_9:
+ @echo "Generate certService private and public keys"
+ keytool -genkeypair -v -alias aaf-cert-service -keyalg RSA -keysize 2048 -validity 730 \
+ -keystore certServiceServer-keystore.jks -storetype JKS \
+ -dname "CN=aaf-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+ -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
+ @echo "####done####"
+
+#Generate certificate signing request for certService
+step_10:
+ @echo "Generate certificate signing request for certService"
+ keytool -certreq -keystore certServiceServer-keystore.jks -alias aaf-cert-service -storepass secret -file certServiceServer.csr
+ @echo "####done####"
+
+#Sign certService certificate by root CA
+step_11:
+ @echo "Sign certService certificate by root CA"
+ keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
+ -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \
+ -ext SubjectAlternativeName:="DNS:aaf-cert-service,DNS:localhost"
+ @echo "####done####"
+
+#Import root certificate into server
+step_12:
+ @echo "Import root certificate into intermediate(server)"
+ cat root.crt >> certServiceServerByRoot.crt
+ @echo "####done####"
+
+#Import signed certificate into certService
+step_13:
+ @echo "Import signed certificate into certService"
+ keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias aaf-cert-service \
+ -storepass secret -noprompt
+ @echo "####done####"
+
+#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
+step_14:
+ @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
+ keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
+ -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
+ @echo "#####done#####"
+
+#Clear unused certificates
+step_15:
+ @echo "Clear unused certificates"
+ rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr
+ @echo "#####done#####"
diff --git a/certs/certServiceClient-keystore.jks b/certs/certServiceClient-keystore.jks
new file mode 100644
index 0000000..f24908c
--- /dev/null
+++ b/certs/certServiceClient-keystore.jks
Binary files differ
diff --git a/certs/certServiceServer-keystore.jks b/certs/certServiceServer-keystore.jks
new file mode 100644
index 0000000..89605b6
--- /dev/null
+++ b/certs/certServiceServer-keystore.jks
Binary files differ
diff --git a/certs/certServiceServer-keystore.p12 b/certs/certServiceServer-keystore.p12
new file mode 100644
index 0000000..2106c81
--- /dev/null
+++ b/certs/certServiceServer-keystore.p12
Binary files differ
diff --git a/certs/root.crt b/certs/root.crt
new file mode 100644
index 0000000..faeee81
--- /dev/null
+++ b/certs/root.crt
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFlDCCA3ygAwIBAgIETsAy8jANBgkqhkiG9w0BAQwFADByMQswCQYDVQQGEwJQ
+TDEUMBIGA1UECBMLRG9sbnkgU2xhc2sxEDAOBgNVBAcTB1dyb2NsYXcxFTATBgNV
+BAoTDFJvb3QgQ29tcGFueTERMA8GA1UECxMIUm9vdCBPcmcxETAPBgNVBAMTCHJv
+b3QuY29tMB4XDTIwMDQwMzA5MTYxNloXDTMwMDQwMTA5MTYxNlowcjELMAkGA1UE
+BhMCUEwxFDASBgNVBAgTC0RvbG55IFNsYXNrMRAwDgYDVQQHEwdXcm9jbGF3MRUw
+EwYDVQQKEwxSb290IENvbXBhbnkxETAPBgNVBAsTCFJvb3QgT3JnMREwDwYDVQQD
+Ewhyb290LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAImm68wu
+rtdkVrC5JI2y53+DoVE4al7NxC2yHeVW0PRD3CgW1xba6dlSQoDQQKkDkxtuNhlU
+IQxU1bbKR6syqJgpJXwSDx4sl4J5lQGWN+iuNA72C1IyXATOgowGq6PbOVVTkApy
+3+ZZGBCmweTjhvddAO7k5p8v+ePt17VvBTxSt6rSvrkGMbpCxBGAPfGpL9xykm9Z
+okVSlA42gGhbra499QTT0Yc/WPPFotKkDKFGaDrLW3NYX1Lio11myYNvLOMwfSEV
+Xy9vkwxcdqFJpHjx+EVLLQXwkudZP+D53N4bk8nP3SacbZSQ/A85mZpWNtw+r9QL
+fZGecY1YIR0udLj66CIG3ybl3gSXX7TSRERTIMR6Um1lt+039FSa18mRBpQTCDXV
+tSL58Qs5BHFkCe0sGpY+XiSEypc6oYPf/7YjiTvMT/mHhDffrvFjhK+wP/oCIg8u
+vuPRoPWuyw41bBeFGitJgDn7E8p9B4K/1DCO/ZcjXiYMgn5Hwb3ojablYUeiXs99
+2AAV8gCceUCdgcP8d6wdAydOVljavkgHPG0IMbiVG1WT57oM3HQpejgpujlKDDsI
+bi9/lbcC/U0JoN9yAaJZFr7CXJrxRv8DWeTwzMTo203KHNu9roQiERd38P8Dp6AQ
+ivmqf0+0VZM3IpjWBYKM68tclHJcG+7wyFjvAgMBAAGjMjAwMB0GA1UdDgQWBBSN
+lFyR56zh67mnvYTmmgJQVxEJrjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
+DAUAA4ICAQBczmFY0kmr1FK50glkT282ur0vukNtwXQNJONof3rYRqP2W98jID6D
+ayma0B4/H1EqCa0d66wRBxFdwW+MqOc4uWD3uUwgazrYD/Bv+V3aumaw8yX6vbyL
+hLNfpd4pViAEGtzYxYfMfFR6uzInF3NMpvt8OXCSGKiQjDMnMs0ekvUZLJm7yxwT
+Qr9aAEFYQYM/GstUC6qFfuUa4MaGvmyKWhZ10JoKXYbGGeFU4wI7Kzifh3VvawTg
+r314ZvQ3zpEwzNJpdvT5ZKuPvyN+drAKFpSPfOTFmmb3uF95FgYq33OFPpo7SR43
+tnw5u5YqKnsHmqCIRMctWiYZc8rBJ3+eBGmke6z/AN6FraG6Ejc8e4WPclrB8STb
++oB3a4Cvri1VHyodkm50Sb/d1FAMDXvzEPBfu2D0dVvOwOcISSN/MQUom8NN4YeI
+aEATdAPNkokgehOzZ1OPRv47FKYEVPCXjaZEWAC7NNmNiRn4RQOti0DlNrLL7Nx9
+vK09G0EnW01MO2ARRkZ3dog+Ph7orJQV3sd7TO4EEortqWtbegSH75ylyYw6rt/j
+uBzYtMOnEtnQKhxj4Wj7PO+StCgspoOByn0d+iSgDd2TlpWm4naP2pfFZT0R+TOH
+wzSH0F47TSfRd0++uEz/QhViybrvQK7yMt1G1YwZp2im+imuWwUC8Q==
+-----END CERTIFICATE-----
diff --git a/certs/truststore.jks b/certs/truststore.jks
new file mode 100644
index 0000000..c32d37f
--- /dev/null
+++ b/certs/truststore.jks
Binary files differ
diff --git a/compose-resources/client-configuration.env b/compose-resources/client-configuration.env
index e79aa61..bc62f1f 100644
--- a/compose-resources/client-configuration.env
+++ b/compose-resources/client-configuration.env
@@ -1,6 +1,6 @@
#Client envs
-REQUEST_URL=http://aafcert-service:8080/v1/certificate/
-REQUEST_TIMEOUT=1000
+REQUEST_URL=https://aaf-cert-service:8443/v1/certificate/
+REQUEST_TIMEOUT=10000
OUTPUT_PATH=/var/certs
CA_NAME=RA
#Csr config envs
@@ -11,4 +11,8 @@
STATE=California
COUNTRY=US
SANS=example.org
-
+#Tls config envs
+KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
+KEYSTORE_PASSWORD=secret
+TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks
+TRUSTSTORE_PASSWORD=secret
diff --git a/docker-compose.yml b/docker-compose.yml
index 851ad31..1ce8ed4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,16 +18,25 @@
networks:
- certservice
- certservice:
+ aaf-cert-service:
image: onap/org.onap.aaf.certservice.aaf-certservice-api:latest
- container_name: aafcert-service
volumes:
- ./certService/helm/aaf-cert-service/resources/cmpServers.json:/etc/onap/aaf/certservice/cmpServers.json
+ - ./certs/truststore.jks:/etc/onap/aaf/certservice/certs/truststore.jks
+ - ./certs/root.crt:/etc/onap/aaf/certservice/certs/root.crt
+ - ./certs/certServiceServer-keystore.jks:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.jks
+ - ./certs/certServiceServer-keystore.p12:/etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12
+ container_name: aafcert-service
ports:
- - "8080:8080"
+ - "8443:8443"
depends_on:
ejbca:
condition: service_healthy
+ healthcheck:
+ test: ["CMD-SHELL", "curl https://localhost:8443/actuator/health --cacert /etc/onap/aaf/certservice/certs/root.crt --cert-type p12 --cert /etc/onap/aaf/certservice/certs/certServiceServer-keystore.p12 --pass secret"]
+ interval: 10s
+ timeout: 3s
+ retries: 15
networks:
- certservice
diff --git a/docs/sections/configuration.rst b/docs/sections/configuration.rst
index d49c86b..d77a2da 100644
--- a/docs/sections/configuration.rst
+++ b/docs/sections/configuration.rst
@@ -20,7 +20,7 @@
.. code-block::
#Client envs
- REQUEST_URL=http://aaf-cert-service-service:8080/v1/certificate/
+ REQUEST_URL=http://aaf-cert-service:8080/v1/certificate/
REQUEST_TIMEOUT=1000
OUTPUT_PATH=/var/certs
CA_NAME=RA
@@ -77,7 +77,7 @@
imagePullPolicy: Always
env:
- name: REQUEST_URL
- value: http://aaf-cert-service-service:8080/v1/certificate/
+ value: http://aaf-cert-service:8080/v1/certificate/
- name: REQUEST_TIMEOUT
value: "1000"
- name: OUTPUT_PATH
diff --git a/pom.xml b/pom.xml
index 9780c8f..8698a28 100644
--- a/pom.xml
+++ b/pom.xml
@@ -114,18 +114,6 @@
<goal>repackage</goal>
</goals>
</execution>
- <execution>
- <id>pre-integration-test</id>
- <goals>
- <goal>start</goal>
- </goals>
- </execution>
- <execution>
- <id>post-integration-test</id>
- <goals>
- <goal>stop</goal>
- </goals>
- </execution>
</executions>
</plugin>
<plugin>